Meet Clair, open source vulnerability analysis on containers
DockerCon Barcelona has lots of buzz coming out of it, and we will be covering all of the action here this week. We wanted to lead off with a story that actually broke this past Friday from the CoreOS team. They have released a new open source tool called Clair. Clair performs vulnerability analysis on containers. As part of CoreOS’s Quay, your container infrastructure can be automatically scanned for vulnerabilities.
I had a chance to speak with Joey Schorr from CoreOS, one of the engineers behind Clair. Calling it vulnerability analysis rather than scanning per se is actually much more accurate. Unlike vulnerability scanning in traditional servers and infrastructure, Clair is looking at manifests and other registry-like indexes and seeing what packages or components are out of date. If out-of-date packages or components are found, Clair and Quay can notify you.
Schorr told me they purposefully did not build in patching or other remediation beyond notification. This seems like something that a third party may want to build using the APIs built into Clair.
Below is a slide show showing more about Clair and Quay’s new service:
https://cloudnativenow.com/wp-content/uploads/2015/11/Identifying-Common-Vulnerabilities-and-Exposures-in-Containers-Final.pptx
It is good to see CoreOS and other container vendors hitting the container security question head-on. This reminds me of the early years of the VMware era, when many were questioning the security of hypervisors and the result was an explosion of hypervisor/VM security tools. Some of these were acquired by VMware directly; others formed a vibrant ecosystem. I suspect a similar path will be forged here.
Stay tuned for more DockerCon 15 news this week.